- Knowledge Base
- Amazon Web Services
- Amazon Relational Database Service
- Aurora Database Instance Accessibility
Ensure that all the database instances running within an Amazon Aurora database cluster have the same accessibility (either public or private) in order to follow AWS cloud best practices.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
It is highly recommended to have all the database instances running within an Aurora cluster as either publicly or privately accessible because in case of a failover, an instance might go from publicly accessible to privately accessible and obstruct the connectivity to the database cluster.
Audit
To identify Amazon Aurora clusters that have both private and public database instances, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under Amazon RDS, choose Databases.
04 Select the Aurora database cluster that you want to examine. To identify Aurora database clusters, check the database engine type available in the Engine column (i.e. Aurora MySQL or Aurora PostgreSQL).
05 Click on the name of the writer database instance provisioned within the selected Aurora cluster. Select the Connectivity & security tab and check the Public accessibility attribute value to determine whether the writer instance is publicly accessible or not. If the attribute value is Yes, the selected database instance is publicly accessible. If the value is No, the instance is not publicly accessible.
06 Click on the name of the reader database instance created for the selected Amazon Aurora cluster. Select the Connectivity & security tab and check the Public accessibility attribute value to determine whether the reader instance is publicly accessible or not. If the attribute value is Yes, the selected database instance is publicly accessible. If the value is No, the instance is not publicly accessible.
07 If the cluster database instances verified at step no. 5 and 6 have different values for the Public accessibility configuration attribute, the instances running within the selected Amazon Aurora database cluster does not have the same accessibility, therefore in case of failover, when the healthy instance is promoted as primary, the connectivity to the cluster will be lost.
08 Repeat steps no. 4 – 7 for each Amazon Aurora database cluster available within the current AWS region.
09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-db-clusters command (OSX/Linux/UNIX) with custom query filters to list the names of all the AWS Aurora database clusters available within the selected AWS region:
aws rds describe-db-clusters --region us-east-1 --output table --query 'DBClusters[*].DBClusterIdentifier'
02 The command output should return a table with the requested cluster identifiers:
----------------------------- | DescribeDBClusters | +-----------------------------+ | cc-aurora-mysql-cluster | | cc-aurora-postgres-cluster | +-----------------------------+
03 Run describe-db-clusters command (OSX/Linux/UNIX) using custom filtering to list the names of the database instances available within the selected Aurora database cluster:
aws rds describe-db-clusters --region us-east-1 --db-cluster-identifier cc-aurora-mysql-cluster --query 'DBClusters[*].DBClusterMembers[*].DBInstanceIdentifier[]'
04 The command output should return a list with the requested instance identifiers (names):
[ "cc-aurora-mysql-cluster-instance-1", "cc-aurora-mysql-cluster-instance-2" ]
05 To describe the "PubliclyAccessible" attribute value for each database instance provisioned within the selected cluster, perform the following actions:
- Run describe-db-instances command (OSX/Linux/UNIX) using the name of the writer database instance as the identifier parameter to expose the accessibility status for the selected instance:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier cc-aurora-mysql-cluster-instance-1 --query 'DBInstances[*].PubliclyAccessible'
- The command output should return the writer database instance accessibility (true for publicly accessible, false for privately accessible):
[ true ]
- Execute describe-db-instances command (OSX/Linux/UNIX) using the name of the reader database instance as the identifier parameter to expose the accessibility status for the reader instance:
aws rds describe-db-instances --region us-east-1 --db-instance-identifier cc-aurora-mysql-cluster-instance-2 --query 'DBInstances[*].PubliclyAccessible'
- The command output should return the reader database instance accessibility (true for public, false for private):
[ false ]
06 If the cluster database instances (writer and reader) verified at step no. 5 have different values for the "PubliclyAccessible" attribute, the instances provisioned for the selected Amazon Aurora database cluster does not have the same accessibility, therefore in case of failover, when the healthy instance is promoted as primary, the connectivity to the cluster will be lost.
07 Repeat steps no. 3 – 6 for each Amazon Aurora database cluster available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To ensure that the database instances running within your Amazon Aurora clusters have the same accessibility (either public or private), perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.
03 In the navigation panel, under Amazon RDS, choose Databases.
04 Select the Amazon RDS database instance that you want to reconfigure (in this case the reader instance which is not publicly accessible), and choose Modify.
05 On the Modify DB instance: <instance-name> configuration page, perform the following actions:
- In the Connectivity section, choose Additional configuration, and select Publicly accessible to make the selected database instance publicly accessible.
- Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.
- In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:
- Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
- Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected database instance. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your database application.
- Choose Modify DB instance to apply the configuration changes.
06 Repeat steps no. 4 and 5 for each database instance that you want to reconfigure, available within the selected Aurora cluster.
07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run modify-db-instance command (OSX/Linux/UNIX) using the name of the database instance (in this case the reader instance) that you want to reconfigure as the identifier parameter, to change the database instance accessibility setting to publicly accessible using the --publicly-accessible parameter (if otherwise required, to make the instance privately accessible use the --no-publicly-accessible parameter). The following command request example makes use of --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora database application. If you skip adding the --apply-immediately parameter to the command request, Amazon Aurora will apply your changes during the next maintenance window:
aws rds modify-db-instance --region us-east-1 --db-instance-identifier cc-aurora-mysql-cluster-instance-2 --publicly-accessible --apply-immediately
02 The command output should return the configuration metadata for the modified database instance:
{ "DBInstance": { "PubliclyAccessible": false, "MasterUsername": "ccadmin", "MonitoringInterval": 0, "LicenseModel": "general-public-license", "VpcSecurityGroups": [ { "Status": "active", "VpcSecurityGroupId": "sg-0abcd1234abcd1234" } ], "InstanceCreateTime": "2021-05-12T08:00:00.677Z", "CopyTagsToSnapshot": true, "OptionGroupMemberships": [ { "Status": "in-sync", "OptionGroupName": "default:mysql-5-7" } ], "Engine": "mysql", "MultiAZ": false, "DBSecurityGroups": [], "DBParameterGroups": [ { "DBParameterGroupName": "default.mysql5.7", "ParameterApplyStatus": "in-sync" } ], "PerformanceInsightsEnabled": true, "AutoMinorVersionUpgrade": true, "PreferredBackupWindow": "06:02-06:32", "DBSubnetGroup": { "Subnets": [ { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1d" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1e" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcdabcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1b" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-12341234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1a" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-abcd1234", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1f" } }, { "SubnetStatus": "Active", "SubnetIdentifier": "subnet-1234abcd", "SubnetOutpost": {}, "SubnetAvailabilityZone": { "Name": "us-east-1c" } } ], "DBSubnetGroupName": "default-vpc-abcdabcd", "VpcId": "vpc-abcdabcd", "DBSubnetGroupDescription": "Created from the AWS Management Console", "SubnetGroupStatus": "Complete" }, "ReadReplicaDBInstanceIdentifiers": [], "AllocatedStorage": 70, "DBInstanceArn": "arn:aws:rds:us-east-1:123456789012:db:cc-project5-mysql-database", "BackupRetentionPeriod": 7, "PreferredMaintenanceWindow": "thu:03:27-thu:03:57", "Endpoint": { "HostedZoneId": "ABCDABCDABCD", "Port": 3306, "Address": "cc-aurora-mysql-cluster-instance-2.abcdabcdabcd.us-east-1.rds.amazonaws.com" }, "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": true, "EngineVersion": "5.7.30", "DeletionProtection": true, "AvailabilityZone": "us-east-1a", "DomainMemberships": [], "StorageType": "gp2", "DbiResourceId": "db-ABCDABCDABCDABCDABCDABCDAB", "CACertificateIdentifier": "rds-ca-2019", "StorageEncrypted": true, "AssociatedRoles": [], "DBInstanceClass": "db.t3.medium", "DbInstancePort": 0, "DBInstanceIdentifier": "cc-aurora-mysql-cluster-instance-2" } }
03 Repeat steps no. 1 and 2 for each database instance that you want to reconfigure, provisioned within the selected Aurora cluster.
04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- Trusted Advisor Best Practices (Checks)
- Aurora on Amazon RDS
- Viewing an Amazon Aurora DB Cluster
- Connecting to an Amazon Aurora DB Cluster
- Modifying an Amazon RDS DB Instance and Using the Apply Immediately Parameter
- AWS Command Line Interface (CLI) Documentation
- rds
- describe-db-clusters
- describe-db-instances
- modify-db-instance
Related RDS rules
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Aurora Database Instance Accessibility
Risk Level: Medium